Bugtraq mailing list archives

Re: Default configuration in WatchGuard Firewall


From: Ryan.Russell () SYBASE COM (Ryan Russell)
Date: Sat, 4 Sep 1999 10:42:53 -0700


It's always a good idea to disable pings from the outside to your internal
network.  I don't mean to discourage anyone from doing so, but...

   # route add -net 192.168.0.0 netmask 255.255.255.0 gw 100.100.100.100

This only works if you are on the 100.100.100 network, i.e. one hop away.  Won't
work all the way across the Internet.  Have you tried it with source-routing?

   Solution is easy ... do not let pings to internal network.

Please do.  Does WatchGuard give you some flexibility about what ICMP to let
in?  I.e. can you shut off the pings in, but still leave on ICMP unreachables,
in order to not break path MTU discovery?  Does it do the stateful thing and
let ICMP echo replies in only if a request was sent, etc?

ICMP is also one of the many interesting things that Firewall-1 leaves on by
default.  Newbie FW-1 admins usually don't know to go through the properties
screen and disable all the things on by default.

                              Ryan
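The ICMP policy the message asks about (no echo requests in from outside, destination-unreachables still allowed in so path MTU discovery keeps working, echo replies admitted only when a matching request went out) written out as a small stateful filter. This is an added example, not code from the post and not the behaviour of WatchGuard or Firewall-1; the internal network 192.168.0.0/24, the outside hosts and the packet trace are all constructed for illustration.

```python
"""Toy stateful ICMP filter: the policy discussed in the thread, over constructed packets."""
import ipaddress
from dataclasses import dataclass

# ICMP type/code values from RFC 792 / RFC 1191
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
CODE_FRAG_NEEDED = 4  # type 3, code 4: "fragmentation needed and DF set" (path MTU discovery)


@dataclass(frozen=True)
class Icmp:
    """Just the ICMP fields the policy needs; no real packet parsing here."""
    src: str
    dst: str
    type: int
    code: int = 0
    ident: int = 0  # echo identifier
    seq: int = 0    # echo sequence number


class StatefulIcmpFilter:
    """Drop inbound pings, pass unreachables, pass echo replies only for outstanding requests."""

    def __init__(self, inside_net: str = "192.168.0.0/24"):
        self.inside = ipaddress.ip_network(inside_net)   # constructed internal network
        self.pending: set[tuple] = set()                 # (inside host, outside host, id, seq)

    def is_inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def outbound(self, pkt: Icmp) -> str:
        # Remember each echo request leaving the inside so its reply can be matched later.
        if pkt.type == ICMP_ECHO_REQUEST:
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        return "ACCEPT"

    def inbound(self, pkt: Icmp) -> str:
        if pkt.type == ICMP_ECHO_REQUEST:
            return "DROP"        # no pings from the outside to the internal network
        if pkt.type == ICMP_DEST_UNREACH:
            return "ACCEPT"      # keeps "fragmentation needed" flowing, so PMTUD is not broken
        if pkt.type == ICMP_ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            if key in self.pending:
                self.pending.discard(key)   # one reply per request; a replay is dropped
                return "ACCEPT"
            return "DROP"        # unsolicited reply
        return "DROP"            # anything else is not needed by default

    def process(self, pkt: Icmp) -> str:
        return self.outbound(pkt) if self.is_inside(pkt.src) else self.inbound(pkt)


def drop_all_icmp(_pkt: Icmp) -> str:
    """The blunt alternative: blocks unreachables too, which is what breaks path MTU discovery."""
    return "DROP"


# Constructed trace: one inside host pinging out, then various packets arriving from outside.
TRACE = [
    Icmp("192.168.0.10", "203.0.113.5", ICMP_ECHO_REQUEST, ident=1, seq=1),  # outbound ping
    Icmp("203.0.113.5", "192.168.0.10", ICMP_ECHO_REPLY, ident=1, seq=1),    # matching reply
    Icmp("203.0.113.5", "192.168.0.10", ICMP_ECHO_REPLY, ident=1, seq=2),    # reply nobody asked for
    Icmp("198.51.100.7", "192.168.0.10", ICMP_ECHO_REQUEST, ident=9, seq=1), # ping from outside
    Icmp("198.51.100.1", "192.168.0.10", ICMP_DEST_UNREACH, code=CODE_FRAG_NEEDED),  # PMTUD signal
    Icmp("203.0.113.5", "192.168.0.10", ICMP_ECHO_REPLY, ident=1, seq=1),    # replay of packet 2
]


def run_trace(policy: str = "stateful") -> list:
    """Return the verdict for each packet in TRACE under the chosen policy."""
    if policy == "stateful":
        f = StatefulIcmpFilter()
        return [f.process(p) for p in TRACE]
    return [drop_all_icmp(p) for p in TRACE]


if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, run_trace()):
        print(f"{verdict:6} {pkt.src} -> {pkt.dst} type={pkt.type} code={pkt.code}")
```

The point of the contrast is the fifth packet: a "fragmentation needed" unreachable is the only way a router tells a sending host to lower its MTU, and the drop-everything policy discards it along with the pings, while the stateful policy lets it through and still drops the unsolicited and replayed echo replies.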